Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General

Results in Brief

The Department has developed a computer security Incident Response Plan that provides standard reporting procedures that all Department components are required to follow. In December 2003, the Department developed a template to standardize procedures Department-wide for responding to and handling computer security incidents. The template includes detailed instructions for handling and reporting computer security incidents. The Department’s Computer Emergency Readiness Team (DOJCERT) developed this Incident Response Plan template under the direction of the Department’s Chief Information Officer and has updated it periodically to reflect new statutory and Office of Management and Budget (OMB) requirements and emerging computer security threats.[5]

In November 2006, the Department included in the template for the first time reporting requirements for PII and other data loss incidents. The new requirements include a 1-hour timeframe for reporting these incidents and define the information that components need to gather when a PII or other data loss occurs or when data has been potentially compromised. The 1-hour timeframe was first established by OMB in July 2006 in a memorandum issued to the Chief Information Officers of all federal agencies.

All of the Department’s components are required to develop their own Incident Response Plans that conform to the template. The nine Department components the OIG reviewed have all developed their own component-specific Incident Response Plans that follow the template. However, as of April 2007, two of the nine components had not yet submitted their revised Incident Response Plans to DOJCERT for approval.

To supplement their Incident Response Plans, the components have developed internal policies, memorandums, or practices for their employees that provide more detailed reporting and incident response procedures within their own internal chains of command. While all nine components reviewed have multiple policies, two of the components have policies that provide contradictory or faulty chain-of-command reporting procedures. Specifically, ATF’s staff has received contradictory instructions on which office is the primary point of contact for reporting computer security incidents. In addition, the USMS’s policy instructs employees to report computer security incidents to staff titles and internal departments that either no longer exist or are inaccurate.

Four of the nine components have developed separate procedures for staff to follow if an incident is reported after normal business hours. One component’s procedures were the same 24 hours a day. The remaining four components have no specific written procedures covering such incidents.[6] We found that at least 19 percent of the incidents reported between December 2005 and November 2006 occurred after hours (6:00 p.m. to 6:00 a.m.).

Reporting Procedures

Officials interviewed in the nine components told us that they believed that their employees were following the correct internal chain-of-command reporting procedures when reporting computer security incidents. Although this review did not examine or verify that employees actually were following Department or component procedures, we did note two issues, one specific to a component and one affecting multiple components. In reviewing the information that one component – the Federal Bureau of Investigation (FBI) – provided and information from DOJCERT’s database, we noticed a discrepancy between the number of lost electronic devices that had been reported within the FBI and the number of lost electronic devices that the FBI had reported to DOJCERT.[7] We sought additional information to determine whether the FBI’s employees were following reporting procedures. We also found indications that most of the components were not always reporting computer security incidents in a timely manner.

Compliance with Reporting Procedures

We found that the FBI did not always follow its or the Department’s reporting procedures. Specifically, the FBI did not report all incidents involving the loss of electronic devices to DOJCERT or all incidents involving classified information to the Department’s Security and Emergency Planning Staff.[8] The FBI received internal reports of 35 lost or stolen laptops between December 2005 and November 2006. Although the FBI is required by the Department’s Incident Response Plan template to report such losses to DOJCERT, the FBI did so for only 7 of those laptops. Additionally, the FBI received internal reports of 107 classified computer security incidents during that same time period, but did not report any of these incidents to the Security and Emergency Planning Staff as required in the Department’s Security Program Operating Manual. This manual requires all Department components to report all classified incidents related to information technology (IT) to the Department’s Security Officer and DOJCERT. We also did not examine whether the Department’s other 31 components are reporting all classified computer security incidents to the Security and Emergency Planning Staff and DOJCERT as required.

Timeliness of Reporting All Computer Security Incidents

We examined 1,501 computer security incidents in the DOJCERT Archer Database that were reported by the 9 components between December 1, 2005, and November 30, 2006, and determined that the components were not always meeting the timeframes established in the Incident Response Plans. In particular, we found that the components were not meeting the 1-hour reporting timeframe established by the Department and OMB for reporting computer security incidents involving PII.[9] Only one of the nine components reviewed, the Tax Division, submitted timely reports for nearly all of its computer security incidents.

The DOJCERT Incident Response Plan template and the components’ Incident Response Plans include reporting timeframes for each of seven categories of computer security incidents, such as Unauthorized Access and Improper Usage, that all Department components are required to report to DOJCERT.[10] We found that between December 2005 and November 2006, the Tax Division made timely reports for 95 percent of its reported computer security incidents. The other eight components made timely reports for between 37 percent and 84 percent of their security incidents.

For PII incidents in the nine components, we found that only 15 percent were reported to DOJCERT within 1 hour of occurrence, and none of these incidents were subsequently reported to US-CERT within the same 1-hour timeframe. Further, DOJCERT reported only 12 percent of PII incidents to US-CERT within 1 hour of the time it received notification from the components.[11] Officials from three components remarked that the 1-hour timeframe was impractical and unrealistic.

OMB’s guidance and the Department’s guidance differ as to when the 1-hour timeframe begins and ends. On July 12, 2006, OMB issued a memorandum requiring federal agencies to report computer security incidents involving PII to US-CERT within 1 hour of discovery.[12] The Department’s November 2006 revision of the Incident Response Plan template requires that the components report PII incidents to DOJCERT within 1 hour of discovery. Our analyses found that the guidance in the DOJCERT Incident Response Plan template appears to conflict with the July 12, 2006, OMB memorandum. The timeliness standard in OMB’s policy requires that incidents be reported to US-CERT within 1 hour of discovery or detection. By allowing 1 hour for reporting just to DOJCERT, the Department’s incident response plan does not ensure compliance with OMB’s 1-hour reporting requirement for US-CERT. Component staff, in fact, told us that employees interpret the OMB requirement to mean that they have 1 hour to report to DOJCERT.

For our analysis, we assessed the amount of time that elapsed between an incident’s occurrence and when the component reported the incident to DOJCERT. For those incidents that were reported within 1 hour to DOJCERT, we determined if they were also reported to US-CERT within the same 1-hour period. We also assessed the amount of time that elapsed between when DOJCERT received notice of an incident and when DOJCERT reported that incident to US-CERT.
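The following Python check is an added illustration, not part of the report or of any Department tool. It applies the three measurements described above (component to DOJCERT, discovery to US-CERT, and DOJCERT's own forwarding hop) to a handful of constructed incident records, and flags the case the report warns about: an incident that satisfies a "1 hour to DOJCERT" reading of the rule while missing OMB's "1 hour from discovery to US-CERT" standard.

```python
"""Two-hop reporting-timeliness check: component -> DOJCERT -> US-CERT.

The incident records are constructed sample data with no relation to the
figures in the report. Times are naive datetimes in one time zone.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ONE_HOUR = timedelta(hours=1)


@dataclass
class Incident:
    incident_id: str
    pii: bool                              # only PII incidents carry the 1-hour rule
    discovered: datetime                   # discovery/detection: the clock start in OMB's reading
    reported_to_dojcert: Optional[datetime]
    reported_to_uscert: Optional[datetime]


def within_hour(start: Optional[datetime], end: Optional[datetime]) -> bool:
    """True when both timestamps exist and at most one hour separates them."""
    return start is not None and end is not None and end - start <= ONE_HOUR


def dept_compliant(inc: Incident) -> bool:
    """Department-template reading: component reaches DOJCERT within 1 hour of discovery."""
    return within_hour(inc.discovered, inc.reported_to_dojcert)


def omb_compliant(inc: Incident) -> bool:
    """OMB reading: US-CERT is notified within 1 hour of discovery, whatever the internal hops."""
    return within_hour(inc.discovered, inc.reported_to_uscert)


def dojcert_hop_compliant(inc: Incident) -> bool:
    """DOJCERT's own hop: forwarded to US-CERT within 1 hour of receiving the component's report."""
    return within_hour(inc.reported_to_dojcert, inc.reported_to_uscert)


def summarize(incidents: list) -> dict:
    """Counts for PII incidents under each reading, plus the ids that pass one but fail the other."""
    pii = [i for i in incidents if i.pii]
    return {
        "pii_incidents": len(pii),
        "within_1h_to_dojcert": sum(dept_compliant(i) for i in pii),
        "within_1h_to_uscert": sum(omb_compliant(i) for i in pii),
        "dojcert_forwarded_within_1h": sum(dojcert_hop_compliant(i) for i in pii),
        # Passing the Department's reading does not imply passing OMB's: these are the gap cases.
        "dept_pass_but_omb_fail": [i.incident_id for i in pii
                                   if dept_compliant(i) and not omb_compliant(i)],
    }


def t(h: int, m: int) -> datetime:
    """Constructed timestamps on one arbitrary day (sample data)."""
    return datetime(2006, 9, 1, h, m)


# Constructed sample records: each exercises a different combination of the three checks.
SAMPLE = [
    Incident("INC-1", True, t(9, 0), t(9, 40), t(10, 20)),   # Dept pass, DOJCERT hop pass, OMB fail
    Incident("INC-2", True, t(9, 0), t(9, 30), t(9, 55)),    # all three pass
    Incident("INC-3", True, t(13, 0), t(16, 0), t(16, 30)),  # component late; hop pass; OMB fail
    Incident("INC-4", False, t(14, 0), t(17, 0), None),      # not PII: excluded from the 1-hour counts
    Incident("INC-5", True, t(20, 0), t(20, 30), None),      # Dept pass; never forwarded
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```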

Ensuring that All Incidents Are Reported

Officials from all nine components reviewed identified training as the primary method for ensuring employees are aware of the reporting requirements. The two training courses most often mentioned were the Department’s annual Computer Security Awareness Training and the components’ Information Technology Rules of Behavior.

Notification to Affected Parties

There is no Department requirement to notify the affected parties in the event of loss of PII, and none of the nine components we reviewed has a policy addressing the notification of affected parties. Further, according to a recent Government Accountability Office report, “... existing laws do not require agencies to notify the public when data breaches occur....”[13] However, the Department’s Office of Privacy and Civil Liberties is currently finalizing a Department-wide notification policy.

Determining Type of Data Lost

To determine if sensitive information may have been lost or compromised during a reportable computer security incident, all nine components stated that they interview the employee who reported the incident. For most components, this consists of informal questioning in an attempt to assist the employee in reconstructing what occurred and to identify the information that a lost electronic device contained. Five components also supplement the employee’s interview by using computer forensic techniques to determine what information or files were stored or accessed by the employee. For example, the Criminal Division and the Drug Enforcement Administration reported that for incidents involving a lost BlackBerry device, the BlackBerry Exchange Server allows them to identify the e-mails that were received and sent the last time the device was used.

Definitions of Sensitive Information, PII, and Reportable Data Loss

The Department has developed a standard definition for sensitive information but has not developed its own definitions for PII and a reportable data loss. Seven of the components we reviewed have also developed definitions of sensitive information while the remaining two components use the Department’s definition. The components’ definitions are similar to the one the Department issued in its Security Program Operating Manual.

To define PII, the Department relies on OMB’s July 12, 2006, memorandum. However, two components stated that this definition may lead components to over-designate information as PII because the OMB definition is too broad and overly vague. Most of the components expressed the opinion that the Department needs to develop its own definition of PII.

We found no standard Department definition of a reportable data loss. The components provided a variety of answers when defining a reportable data loss. Their responses were generally in line with the causes of data loss that the DOJCERT Incident Response Plan template describes, such as hacker intrusion through network and system defenses or the loss or theft of a laptop, removable storage medium, or portable computing device containing PII or sensitive information.

Best Practices in Increasing Employee Awareness

Four of the nine components are taking additional steps to either minimize unauthorized access to sensitive information or educate employees on their reporting responsibilities. For example:

The Tax Division reinforces employees’ awareness of the 1-hour reporting requirement for loss of PII by posting this information prominently on its intranet.

The Criminal Division displays a variety of security tips, including procedures for reporting computer security incidents, on the computer monitors when employees first log in.

JMD Personnel staff receive verbal briefings on the procedures for reporting computer security incidents when they are given the equipment necessary to use the Justice Secure Remote Access system and also receive a wallet card summarizing those reporting procedures.

BOP policy requires that to remove sensitive information from a BOP facility, an employee must obtain written approval from the Chief Executive Officer (CEO) of the facility. When requesting approval, the medium of the sensitive information (e.g., paper documents, electronic files), a description of the equipment being used and the contents, and the purpose for the removal must be documented along with the CEO’s approval.[14]

Recent Developments and Future Plans

The Department frequently updates its guidance on data loss incidents and privacy issues and changes its policies to address newly identified needs. For example, the Department’s Office of Privacy and Civil Liberties and Office of the Chief Information Officer are developing a Department-wide policy on notifying affected parties in the event of loss of PII. Once this policy is finalized, DOJCERT plans to issue an addendum to its Incident Response Plan template explaining the notification procedures and the components’ roles in them. Additionally, the Department stated that DOJCERT plans to release an Incident Response Handbook during fiscal year 2007. The handbook will provide guidance to the components on information-gathering techniques during and following an incident, techniques for determining the type of data included on lost equipment, and methods for identifying the level of residual risk associated with each incident.

Conclusion and Recommendations

The Department has developed an Incident Response Plan template to standardize the procedures that all Department components are required to follow to report computer security incidents. However, as of April 2007, two of the nine components have not updated their Incident Response Plans to conform to the Department’s November 2006 revision, which requires all computer security incidents involving PII to be reported within 1 hour. The same two components have also issued internal policies that have contradictory instructions on the primary point of contact for reporting computer security incidents and that direct employees to contact officials with non-existent titles in departments that no longer exist. Another area where we found divergence among the components was in procedures for reporting incidents that occur after normal business hours. Four of the components have developed additional reporting procedures for incidents reported after hours, one component’s procedures are the same 24 hours a day, and the remaining four components do not have specific written procedures covering after-hours incidents.

While all of the components stated that they believed their staff followed procedures established for reporting computer security incidents through their chains of command to component headquarters, we found that the FBI was not always following the reporting procedures outlined in its or the Department’s Incident Response Plans.

We also found that components were not always reporting computer security incidents to DOJCERT within the timeframes established in the Department’s Incident Response Plan template. In particular, the components were not consistently reporting PII incidents within 1 hour to DOJCERT, and none of the PII incidents in the Department were reported to US-CERT within 1 hour of discovery or detection. DOJCERT and component staff interpret the guidance from the Department and OMB differently as to whom the incident is to be reported to within 1 hour. Therefore, we believe clarification is needed on who must receive the report within 1 hour of discovery or detection – component IT staff, DOJCERT, or US-CERT.

Neither the Department nor any of the components we reviewed have developed procedures for notifying affected individuals in the event of a loss of PII, which could cause a delay in notifying affected individuals and increase their risk of falling victim to fraud or identity theft. The Department is developing a policy on this issue, and we believe it should be promptly finalized and distributed to Department components.

The Department has issued a standard definition of sensitive information in its Security Program Operating Manual, and seven components have developed component-specific definitions of sensitive information that are similar to the Department’s definition. However, the Department has not developed its own definitions of PII and what constitutes a reportable data loss. At least seven of the nine components expressed the opinion that the Department should develop its own, more specific definition of PII.

Four components have developed what we consider to be Best Practices to increase employee awareness of the reporting requirements for computer security incidents. We believe the Department and its other components should examine these practices and determine if any should be adopted Department-wide.

To help the Department improve its computer security incident reporting procedures, including the procedures for reporting data loss and classified incidents, we recommend that the Department:

Require all components to ensure their procedures cover reporting of after-hours incidents.

Review the components’ procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department’s Security Program Operating Manual.

Clarify the requirement that all losses of PII be reported within 1 hour and to whom so that all Department employees understand who to report to and when the 1-hour timeframe begins and ends.

Ensure all components meet the established reporting timeframes.

Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of PII.

Develop a Department-specific definition of PII.

Consider whether any of the procedures described as “Best Practices” should be implemented across the Department.

Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and contain up-to-date titles of internal departments and staff.

Footnotes

[5] DOJCERT is the organization to which all Department components are required to report computer security incidents, including PII and other data loss incidents. Established in 2000 within the Department’s Office of the Chief Information Officer, it operates 24 hours a day, 7 days a week. A more detailed explanation of DOJCERT’s role and responsibilities is provided in the Background section of this report.

[6] Two of these components have developed draft procedures, but as of April 2007, those procedures had not yet been issued.

[7] DOJCERT maintains the Department’s Incident Response and Vulnerability Patch Database, commonly called the Archer Database. See pages 18-19 of this report for a more detailed explanation of how we identified this discrepancy.

[8] The Security and Emergency Planning Staff (SEPS) is required to track all reports of losses of classified information for the Department. A more detailed explanation of SEPS’s role and responsibilities is provided in the Background section of this report.

[9] DOJ, Reporting Incidents Involving Data Loss and Personally Identifiable Information, Vance Hitch, CIO, August 7, 2006; and OMB Memorandum M-06-19 for Chief Information Officers, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, Karen S. Evans, July 12, 2006. The former document establishes a 1-hour reporting timeframe after the discovery or detection of a security incident for components to report to DOJCERT, and the latter document established a 1-hour timeframe for DOJCERT to report to the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). US-CERT is a partnership between the Department of Homeland Security and the public and private sectors established in 2003 to protect the nation’s Internet infrastructure.

[10] See Appendix XII for a description of the seven categories and the associated timeframes. An additional category is used for training exercises only.

[11] The period we used for measuring timeliness in reporting PII incidents was between July 12, 2006 (when OMB began requiring that PII incidents be reported within 1 hour), and November 30, 2006.

[12] OMB Memorandum M-06-19.

[13] Testimony of David M. Walker, Comptroller General, Government Accountability Office, Privacy: Preventing and Responding to Improper Disclosures of Personal Information (GAO-06-833T), before the House Committee on Government Reform, June 8, 2006.